For information about Clickjacking and XFS attacks, see Section 8.2, Preventing Cross-Frame Scripting Attacks.
You can prevent both types of attacks by performing the following steps:
In the /opt/novell/nids/lib/webapp/WEB-INF/web.xml file, add the following Tomcat filter configuration below any existing filter configurations:
<filter>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Restart Identity Server.
Use a browser header trace tool to verify that the X-Frame-Options header has been added to the response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
x-content-type-options: nosniff
via-ESP: null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8, null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8,NIDPLOGGING.600105002 session220-C62485D33E58AD05D6F80C470E6A31D8
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2016 13:12:43 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 863
Date: Wed, 27 Apr 2016 13:12:43 GMT
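As an added example that is not part of this documentation, the following POSIX shell script performs the verification from the last step without a browser: it reads raw HTTP response headers and reports whether X-Frame-Options carries a value that blocks cross-origin framing (SAMEORIGIN or DENY). The function names check_xfo and check_url, the embedded sample responses, and the URL passed to check_url are constructed placeholders for this example.

```shell
#!/bin/sh
# check_xfo: read raw HTTP response headers on stdin and report whether the
# X-Frame-Options header prevents cross-origin framing.
# Returns 0 when the value is SAMEORIGIN or DENY, 1 when the header is missing
# or carries any other value (for example ALLOWALL).
check_xfo() {
    # Header names are case-insensitive: strip CRs, take the first match,
    # trim trailing whitespace and uppercase the value for comparison.
    value=$(tr -d '\r' \
        | awk -F': *' 'tolower($1) == "x-frame-options" { print $2; exit }' \
        | sed 's/[[:space:]]*$//' \
        | tr '[:lower:]' '[:upper:]')
    case "$value" in
        SAMEORIGIN|DENY)
            echo "OK: X-Frame-Options: $value"; return 0 ;;
        "")
            echo "FAIL: X-Frame-Options header missing"; return 1 ;;
        *)
            echo "FAIL: X-Frame-Options has a non-protective value: $value"; return 1 ;;
    esac
}

# check_url: fetch only the headers of a live endpoint (placeholder URL) and
# run the same check. Requires curl; not used in the offline demonstration.
check_url() {
    curl -sSI --max-time 10 "$1" | check_xfo
}

# Constructed sample responses, modelled on the header trace shown above.
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=ISO-8859-1'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1'

# Offline demonstration: the first sample passes, the second is reported as FAIL.
printf '%s\n' "$SAMPLE_OK" | check_xfo || true
printf '%s\n' "$SAMPLE_MISSING" | check_xfo || true
```

To check a running Identity Server instead, call check_url with the login page URL (for example, the /nidp/ path behind your own host name).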
NOTE: You can also use the SameOriginFilter filter to prevent these attacks. However, the recommendation is to use the TomcatSameOriginFilter. The following is the snippet for SameOriginFilter:
<filter>
    <filter-name>SameOriginFilter</filter-name>
    <description>The NIDP server anti-clickjacking filter. This filter adds 'X-FRAME-OPTIONS: SAMEORIGIN' header to http responses, and prevents cross domain framing of web pages as best as possible depending on browser compatibility.</description>
    <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
    <init-param>
        <param-name>activate</param-name>
        <param-value>True</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>